MFA with Microsoft Authenticator when logging in to Windows 10 device


Hi,

 

We have domain joined Windows 10 computers, synced to Azure AD (hybrid join).

 

In Azure we have conditional access MFA. Devices are managed by MECM/Intune.

 

How can we enable MFA prompt during Windows login? I know that Windows Hello exists however this is not what we are looking for.

 

This isn't anything new or ground breaking, we want to enable Authenticator MFA prompt when users login with their username/password to the workstation.

 

Duo has had this feature for many years now. It has been requested and suggested on the now-defunct Azure feedback site for a while.

 

Is there anything in the works to have something like this? Not everyone in the enterprise wants to roll Windows Hello.

 

https://docs.microsoft.com/en-us/answers/questions/43810/windows-10-mfa-at-login-on-azure-ad.html 

https://www.reddit.com/r/sysadmin/comments/dbt3kh/how_can_we_enable_mfa_on_a_windows_10_login/

 

4 Replies

@Mirza Dedic Hello, yes of course. You can go passwordless with the Authenticator; you can even narrow it down so it's the only option that can be used (but perhaps not recommended). You simply have to enable it in Azure and add your users.

 


 

Then use a conditional access policy requiring MFA and direct your users to https://aka.ms/mysecurityinfo to set up their info.

 

You can also use a TAP if no other methods are set up 

Configure a Temporary Access Pass in Azure AD to register Passwordless authentication methods | Microsoft Docs

 

For reference 

Passwordless sign-in with the Microsoft Authenticator app - Azure Active Directory | Microsoft Docs
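The steps in the reply above (enable Authenticator for a group, enable Temporary Access Pass, add a Conditional Access policy that requires MFA, issue a TAP to a user), scripted with the Microsoft Graph PowerShell SDK. This is an added example and not part of the thread or of Microsoft's documentation; it assumes the Microsoft.Graph module v2 or later, and the pilot group name, the user UPN and the TAP lifetimes are placeholders. As the later replies in the thread point out, this configures MFA and passwordless sign-in for Azure AD sign-ins; it does not put an Authenticator prompt on the Windows logon screen.

```powershell
# Added example, not from the thread. Assumes Microsoft.Graph PowerShell SDK v2+
# (no Select-MgProfile needed). Group name, UPN and lifetimes are placeholders.
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups

Connect-MgGraph -Scopes @(
    'Policy.ReadWrite.AuthenticationMethod',
    'Policy.ReadWrite.ConditionalAccess',
    'UserAuthenticationMethod.ReadWrite.All',
    'Group.Read.All'
)

# Scope everything to a pilot group first rather than to all users.
$pilotGroup = Get-MgGroup -Filter "displayName eq 'Passwordless Pilot'"   # placeholder group
if (-not $pilotGroup) { throw 'Pilot group not found' }

# 1. Enable Microsoft Authenticator for the pilot group.
#    authenticationMode 'any' allows passwordless phone sign-in as well as push MFA;
#    'push' alone would not permit passwordless sign-in.
$authenticatorConfig = @{
    '@odata.type'  = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration'
    id             = 'MicrosoftAuthenticator'
    state          = 'enabled'
    includeTargets = @(
        @{
            targetType             = 'group'
            id                     = $pilotGroup.Id
            isRegistrationRequired = $false
            authenticationMode     = 'any'
        }
    )
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'MicrosoftAuthenticator' `
    -BodyParameter $authenticatorConfig

# 2. Enable Temporary Access Pass for the same group so a user with no registered
#    method can bootstrap Authenticator. One-time use keeps a leaked pass from
#    being replayed; lifetimes are a conservative starting point.
$tapConfig = @{
    '@odata.type'            = '#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration'
    id                       = 'TemporaryAccessPass'
    state                    = 'enabled'
    defaultLifetimeInMinutes = 60
    defaultLength            = 8
    minimumLifetimeInMinutes = 10
    maximumLifetimeInMinutes = 480
    isUsableOnce             = $true
    includeTargets           = @(
        @{ targetType = 'group'; id = $pilotGroup.Id; isRegistrationRequired = $false }
    )
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'TemporaryAccessPass' `
    -BodyParameter $tapConfig

# 3. Conditional Access: require MFA for the pilot group on all cloud apps.
#    Created in report-only mode; switch state to 'enabled' only after the
#    sign-in logs show no one would be locked out.
$caPolicy = @{
    displayName   = 'Pilot - Require MFA for all cloud apps'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeGroups = @($pilotGroup.Id) }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy

# 4. Issue a one-time TAP to a user who has nothing registered yet.
#    The pass value is returned only once, at creation time; hand it over out of band.
$userUpn = 'user@contoso.com'   # placeholder UPN
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod `
    -UserId $userUpn `
    -IsUsableOnce:$true `
    -LifetimeInMinutes 60
"TAP for $userUpn (share out-of-band): $($tap.TemporaryAccessPass)"

# 5. Read back what was actually applied before telling users to register.
Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'MicrosoftAuthenticator' |
    Select-Object Id, State
```

After this runs, users in the pilot group register the Authenticator app at https://aka.ms/mysecurityinfo (using the TAP if they have no other method) and enable phone sign-in in the app; the Conditional Access policy then enforces MFA for their cloud sign-ins once it is moved out of report-only mode.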

@ChristianJBergstrom How do you set up a conditional access policy to require MFA at Windows logon? 

There isn't such functionality within Conditional Access that will require users to use MFA when signing in. So in the above scenario, Windows Hello for Business is the way to go.

@Steve Whitcher @BilalelHadd Hello folks, it seems I misinterpreted the initial question. As noted, I responded on how to configure passwordless with Authenticator.

 

What's the use case here @Mirza Dedic? Have you considered using FIDO2 keys if security is the primary requirement?